1. Start zero trust afresh using a modern approach
When Blockbuster tried to outsmart Netflix, it connected a bunch of DVD players to the cloud. That could never deliver the fidelity customers wanted, and Blockbuster went bust: at bottom, it made the wrong architectural choice. Zero trust carries the same lesson. Take stock of your technical debt and architect security from the ground up rather than bolting zero-trust controls onto the existing perimeter. Simply layering on top does more harm than good: it leaves the old implicit-trust paths in place, introduces new loopholes, and makes security harder to manage.
2. Reduce your attack surface using a security cloud
Always remember this: if you're reachable, you're breachable. If an application is exposed to the internet, attackers will find it and, sooner or later, someone will compromise it. So applications and servers should sit behind a security cloud that removes that attack vector: the application never accepts an inbound connection from the internet at all. When an attacker (or a legitimate user) knocks, what answers is a switchboard, not a door. The switchboard says, "Okay, where are you trying to go? I'll check who you are and whether you're allowed there, then bridge that connection for you. I'm not going to connect you directly to that application." Someone who is not authorized to reach an application never even learns where it lives. This brokered connectivity is an important element of a zero-trust architecture.
3. Use segmentation to prevent lateral movement
Network segmentation is not new, but zero trust pushes it much further, to micro-segmentation: segmenting networks, workloads, and applications at a granular level, ideally down to individual workloads, with a default-deny policy between segments so that only the flows an application actually needs are permitted. Should adversaries breach your environment, micro-segmentation limits lateral movement, contains the threat to the segment that was breached, and stops malware from spreading across the entire environment. Note that it shrinks the blast radius rather than eliminating it: a compromised workload can still reach whatever the policy legitimately allows it to reach, so those allowed flows deserve the same scrutiny as the perimeter once did.
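To make the blast-radius argument concrete, here is an added example (not code from the original article) that models a small constructed estate of six workloads and computes which hosts an attacker on a compromised web server can reach, first under a flat permit-all policy and then under a default-deny micro-segmentation policy. The workload names, role tags, listening ports, and rules are all assumptions made for the illustration; nothing here touches a real network, it only evaluates policy and walks the allowed-flow graph.

```python
"""Blast radius of one compromised host: flat network vs. micro-segmentation.

Added illustration, not code from the original article. Workloads, tags,
ports and rules below are constructed sample data.
"""
from collections import deque

# Constructed inventory: workload -> role tag that the rules refer to.
WORKLOADS = {
    "web-1": "web", "web-2": "web",
    "api-1": "api",
    "db-1": "db",
    "backup-1": "backup",
    "jump-1": "admin",
}

# Constructed: the ports each workload actually listens on.
LISTENING = {
    "web-1": {443, 22}, "web-2": {443, 22},
    "api-1": {8443, 22},
    "db-1": {5432, 22},
    "backup-1": {22},
    "jump-1": {22},
}

# A rule is (source tag, destination tag, destination port); "any" is a wildcard.
# A flat network amounts to one permit-all rule.
FLAT_POLICY = [("any", "any", "any")]

# Micro-segmented: default deny, plus only the flows the application needs.
SEGMENTED_POLICY = [
    ("web", "api", 8443),      # front end calls the API
    ("api", "db", 5432),       # API talks to Postgres
    ("backup", "db", 5432),    # backup job pulls from Postgres
    ("admin", "web", 22),      # jump host administers everything over SSH
    ("admin", "api", 22),
    ("admin", "db", 22),
    ("admin", "backup", 22),
]


def flow_allowed(policy, src, dst, port):
    """True if policy permits a new connection src -> dst:port.
    Default deny: a flow with no matching rule is dropped."""
    src_tag, dst_tag = WORKLOADS[src], WORKLOADS[dst]
    return any(
        rs in ("any", src_tag) and rd in ("any", dst_tag) and rp in ("any", port)
        for rs, rd, rp in policy
    )


def blast_radius(policy, compromised):
    """Workloads an attacker on `compromised` can reach transitively, assuming
    (worst case) that every host they can connect to is then also compromised.
    Reachability is not exploitability, but it is the upper bound that
    segmentation is meant to shrink."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for target, ports in LISTENING.items():
            if target in seen:
                continue
            if any(flow_allowed(policy, cur, target, p) for p in ports):
                seen.add(target)
                queue.append(target)
    seen.discard(compromised)
    return seen


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reach = sorted(blast_radius(policy, "web-1"))
        print(f"{name:9s} web-1 compromised -> can reach {reach}")
```

Under the flat policy a compromised web-1 can reach every other workload, including the database and the jump host. Under the segmented policy the same foothold reaches only api-1 (over 8443) and, through it, db-1 (over 5432); web-2, backup-1 and jump-1 are unreachable because no rule names web as a source for them. The remaining two hops are exactly the flows the application needs, which is why they deserve authentication and monitoring of their own.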
4. Deploy fine-grained user access
Human error is inevitable, and it is behind a large share of cloud breaches and ransomware attacks. If attackers gain access to a privileged user's account, they can use it to steal sensitive information, take systems offline, hijack them, or move laterally across the network and compromise other systems. In a zero-trust world, users have access to exactly what they are supposed to access and nothing more, so a stolen account is worth only as much as that user's narrow set of permissions.
Identity alone is not enough, either. Each request should also be evaluated against contextual signals: the time of access, the location the request came from, the type and health of the device, and so on. In practice that means enforcing the principle of least privilege, applying granular per-resource permissions, and deploying authentication and authorization mechanisms that weigh both identity and context, so that the same user with the same role is allowed in from a managed laptop during business hours and refused from an unknown device in the middle of the night.
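The following added example (not code from the original article) shows what such a decision looks like in code: a least-privilege check against a role-to-permission table, followed by the contextual checks the paragraph lists (device posture, request origin, time window, and freshness of the last MFA). The roles, resources, thresholds, and sample requests are constructed for the illustration, and the context attributes are assumed to arrive from an identity provider or device-management agent that the policy engine trusts.

```python
"""Contextual, least-privilege authorization decision.

Added illustration; not code from the original article. Roles, resources,
thresholds and sample requests are constructed. Context attributes (device
posture, country, MFA age) are assumed to come from a trusted identity
provider / device agent rather than from the client itself.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed RBAC table: role -> set of (resource, action) it may perform.
ROLE_PERMISSIONS = {
    "analyst":  {("reports", "read")},
    "engineer": {("reports", "read"), ("deploy-pipeline", "run")},
    "dba":      {("prod-db", "read"), ("prod-db", "write")},
}

# Constructed per-resource context requirements. None means "no constraint".
# Sensitive resources demand more than identity: a managed, patched device,
# an allowed country, a business-hours window (UTC) and a recent MFA.
RESOURCE_CONTEXT = {
    "reports":         {"managed_device": False, "countries": None,
                        "hours": None, "mfa_max_age_s": None},
    "deploy-pipeline": {"managed_device": True, "countries": {"US", "DE"},
                        "hours": None, "mfa_max_age_s": 3600},
    "prod-db":         {"managed_device": True, "countries": {"US"},
                        "hours": (8, 18), "mfa_max_age_s": 900},
}


@dataclass
class Request:
    user: str
    roles: set
    resource: str
    action: str
    country: str            # from the IdP's geo lookup of the source address
    device_managed: bool    # from the device-management agent
    os_patched: bool        # from the device-management agent
    now: datetime           # tz-aware timestamp of the request
    mfa_age_s: Optional[int]  # seconds since last MFA, None if never


def authorize(req: Request):
    """Return (allowed, reasons). Identity decides *what* the user may touch;
    context decides *whether* this particular request is safe to honour."""
    # 1. Least privilege: the action must be explicitly granted to a role.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in granted:
        return False, [f"{req.action} on {req.resource} not granted to roles "
                       f"{sorted(req.roles)}"]

    ctx = RESOURCE_CONTEXT.get(req.resource)
    if ctx is None:
        return False, ["unknown resource: default deny"]

    # 2. Context: every failing signal is recorded, so the caller can log
    #    all of them rather than just the first one.
    reasons = []
    if ctx["managed_device"] and not (req.device_managed and req.os_patched):
        reasons.append("requires a managed, patched device")
    if ctx["countries"] and req.country not in ctx["countries"]:
        reasons.append(f"request from {req.country} not permitted")
    if ctx["hours"]:
        start, end = ctx["hours"]
        hour = req.now.astimezone(timezone.utc).hour
        if not start <= hour < end:
            reasons.append(f"outside permitted hours ({start:02d}-{end:02d} UTC)")
    if ctx["mfa_max_age_s"] is not None:
        if req.mfa_age_s is None or req.mfa_age_s > ctx["mfa_max_age_s"]:
            reasons.append("recent MFA required")
    return (not reasons), (reasons or ["allowed"])


# Constructed sample requests covering the cases worth testing.
_NOON = datetime(2024, 3, 12, 12, 0, tzinfo=timezone.utc)
_NIGHT = datetime(2024, 3, 12, 22, 0, tzinfo=timezone.utc)
SAMPLES = {
    # low-sensitivity resource: identity alone suffices, even from a BYOD laptop
    "analyst_reports": Request("alice", {"analyst"}, "reports", "read",
                               "FR", False, False, _NOON, None),
    # DBA writing to prod from the office on a managed laptop with fresh MFA
    "dba_prod_write":  Request("bob", {"dba"}, "prod-db", "write",
                               "US", True, True, _NOON, 300),
    # same DBA, same role, but unmanaged device, abroad, at night, no MFA
    "dba_offhours":    Request("bob", {"dba"}, "prod-db", "write",
                               "CN", False, True, _NIGHT, None),
    # analyst with perfect context still cannot write to prod: never granted
    "analyst_prod":    Request("alice", {"analyst"}, "prod-db", "write",
                               "US", True, True, _NOON, 60),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        allowed, reasons = authorize(req)
        print(f"{name:16s} {'ALLOW' if allowed else 'DENY '} {'; '.join(reasons)}")
```

The ordering matters: the permission lookup runs first, so a user who was never granted an action is refused before any context is consulted, and the context checks only ever narrow what identity already allows. The `dba_offhours` case shows the point of the paragraph: the same account and role that is allowed at noon from a managed machine is denied at night from an unmanaged one, with every failing signal reported.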
5. Always keep user experience in mind
The fastest way to kill a zero-trust project is to disrupt users. Deployed properly, the architecture can actually improve the user experience, which in turn reduces internal friction. If authentication is seamless, for example signing in once and being connected to each application transparently, access and connectivity get easier, and users will happily embrace zero trust.